[BlueOnyx:21431] Re: localhost sending 14K emails in a month?

Lewis Gardner lewisg at iglou.com
Thu Sep 28 07:57:14 -05 2017



Michael Stauber wrote:
> Hi Lewis,
> 
>> According to Usage Information, Email, Senders localhost on one of my
>> 5209R servers has sent 13,990 emails this month. Mostly during one week
>> and one other day.
>>
>> Is there any reasonable explanation for this behavior?
>>
>> What to do?
> 
> No, this sure isn't normal and warrants further investigation. First see
> what else the GUI says. For that check "Server Management" / "Usage
> Information" / "Email" and under "Email Traffic as reported by
> Milter-GeoIP" click on the "All Users" tab.
> 
> Clicks on this tab sometimes are a bit unresponsive. Give it a bit,
> click on it again and eventually it should show. Then sort that by
> "Email out" and it should tell you how much each user account sent in
> regards to outbound emails.
> 
> This might help to identify the account that causes it. If you're
> unlucky, it says "root". Now under "root" it will also register delivery
> failure notices to local or remote users.

The user with the highest message count only sent 79 messages in 
September. The table below this "Messaging flows" reports "Total 
outgoing" as 12,684. Below that is a very frightening graph...


> However, with the username it told you, you can take it to the logfiles.
> If it was "root", you could use this for example:
> 
> cat /var/log/maillog|grep root|grep stat=Sent

For root the output looks normal and legit.

Dropping "grep root" returns a fckton that look questionable.

One such record:
> sendmail[10392]: v8KIPviO025185: to=<craigbeckingham at btinternet.com>, delay=4+13:23:55, xdelay=00:00:00, mailer=esmtp, pri=5340717, relay=mx.bt.lon5.cpcloud.co.uk. [65.20.0.49], dsn=4.0.0, stat=Deferred: 421 Too many messages (1.5.7.3) on 2017/09/25 08:51:00 BST from un-validated IP address: 6...to the volume of email being sent from this IP address. Guide for bulk senders www.bt.com/bulksender


> You can then grep for the message ID, which is "v8RB4X6n003345" in this
> example to get a better picture of that single transaction:

From the above:
> # cat /var/log/maillog|grep v8P7oUsO000785
> sendmail[785]: v8P7oUsO000785: from=<>, size=662, class=0, nrcpts=1, msgid=<134237383.20179257513 at stadt.freiburg.de>, proto=ESMTP, daemon=MTA, relay=pD9F635BE.dip0.t-ipconnect.de [217.246.53.190]
> sendmail[785]: v8P7oUsO000785: Milter add: header: X-Virus-Scanned: clamav-milter 0.99.2 at colo2.boxwrench.com
> sendmail[785]: v8P7oUsO000785: Milter add: header: X-Virus-Status: Clean
> sendmail[785]: v8P7oUsO000785: Milter add: header: X-Spam-Status: No, score=1.6 required=5.0 tests=ALL_TRUSTED,FROM_NO_USER,\n\tTVD_RCVD_IP,TVD_RCVD_IP4 autolearn=no autolearn_force=no version=3.4.0
> sendmail[785]: v8P7oUsO000785: Milter add: header: X-Spam-Level: *
> sendmail[785]: v8P7oUsO000785: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on colo2.boxwrench.com
> sendmail[1373]: v8P7oUsO000785: to=<ob.salomon at stadt.freiburg.de>, delay=00:00:06, xdelay=00:00:02, mailer=esmtp, pri=120662, relay=erelay01.kivbf.de. [194.59.36.38], dsn=4.2.0, stat=Deferred: 450 4.2.0 <ob.salomon at stadt.freiburg.de>: Recipient address rejected: Service temporarily unavailable, http://mailsupport.kivbf.de
> sendmail[1373]: v8P7oUsO000785: to=<ob.salomon at stadt.freiburg.de>, delay=00:00:08, xdelay=00:00:04, mailer=esmtp, pri=120662, relay=erelay02.kivbf.de. [194.59.36.39], dsn=4.2.0, stat=Deferred: 450 4.2.0 <ob.salomon at stadt.freiburg.de>: Recipient address rejected: Service temporarily unavailable, http://mailsupport.kivbf.de
> sendmail[1373]: v8P7oUsO000785: to=<ob.salomon at stadt.freiburg.de>, delay=00:00:10, xdelay=00:00:06, mailer=esmtp, pri=120662, relay=erelay03.kivbf.de. [194.59.36.40], dsn=4.2.0, stat=Deferred: 450 4.2.0 <ob.salomon at stadt.freiburg.de>: Recipient address rejected: Service temporarily unavailable, http://mailsupport.kivbf.de
> sendmail[19307]: v8P7oUsO000785: to=<ob.salomon at stadt.freiburg.de>, delay=00:28:51, xdelay=00:00:06, mailer=esmtp, pri=210662, relay=erelay02.kivbf.de. [194.59.36.39], dsn=2.0.0, stat=Sent (Ok, discarded, id=04066-10 - spam)

To me it looks like my server made 4 attempts to send mail from nobody 
"<>" to someone in a beautiful town in Germany. As a side note I'd 
prefer to not harass the citizenry there seeing as they have taken down 
the US flag from their translate and tourism click things...


> See what you can dig up this way and if you need any help with this,
> please file a support ticket via the GUI and tick the checkbox for
> "allow access".

Filed! Any help is always very much appreciated!
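Added example (not part of the thread, and not BlueOnyx code): a small Python triage script that does the maillog walk Michael describes above programmatically, grouping sendmail lines by queue ID, counting stat=Sent deliveries per envelope sender (the equivalent of the GUI's "Email out" column, including the "<>" null sender that the GUI lumps under root), and flagging the shape visible in Lewis's excerpt: a from=<> message received over SMTP from a remote host (daemon=MTA) and then handed on to another remote MTA (mailer=esmtp). SAMPLE_LOG is constructed in the format quoted on this page; all hostnames, addresses and queue IDs in it are invented. The function and variable names are this example's own, not sendmail's.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the sendmail maillog lines quoted in the thread.
# Every host, address and queue ID here is invented (documentation ranges/names).
SAMPLE_LOG = """\
Sep 25 07:50:30 host sendmail[785]: v8P7oUsO000785: from=<>, size=662, class=0, nrcpts=1, msgid=<1@example.invalid>, proto=ESMTP, daemon=MTA, relay=dynamic.example.net [198.51.100.23]
Sep 25 07:50:31 host sendmail[785]: v8P7oUsO000785: Milter add: header: X-Virus-Status: Clean
Sep 25 07:50:36 host sendmail[1373]: v8P7oUsO000785: to=<victim@example.org>, delay=00:00:06, xdelay=00:00:02, mailer=esmtp, pri=120662, relay=mx.example.org. [203.0.113.5], dsn=4.2.0, stat=Deferred: 450 4.2.0 <victim@example.org>: Recipient address rejected
Sep 25 08:19:21 host sendmail[19307]: v8P7oUsO000785: to=<victim@example.org>, delay=00:28:51, xdelay=00:00:06, mailer=esmtp, pri=210662, relay=mx.example.org. [203.0.113.5], dsn=2.0.0, stat=Sent (Ok, discarded, id=04066-10 - spam)
Sep 25 09:01:02 host sendmail[2001]: v8P911aa002001: from=<alice@example.com>, size=1500, class=0, nrcpts=1, msgid=<2@example.com>, proto=ESMTP, daemon=MSA, relay=alice-laptop.example.com [192.0.2.10]
Sep 25 09:01:05 host sendmail[2002]: v8P911aa002001: to=<bob@example.net>, delay=00:00:03, xdelay=00:00:01, mailer=esmtp, pri=121500, relay=mx.example.net. [203.0.113.9], dsn=2.0.0, stat=Sent (OK id=abc)
Sep 25 09:30:00 host sendmail[3001]: v8P9U0bb003001: from=<>, size=700, class=0, nrcpts=1, msgid=<3@example.invalid>, proto=ESMTP, daemon=MTA, relay=other.example.net [198.51.100.77]
Sep 25 09:30:02 host sendmail[3002]: v8P9U0bb003001: to=<someone@example.org>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120700, relay=mx.example.org. [203.0.113.5], dsn=2.0.0, stat=Sent (Ok)
Sep 25 10:00:00 host sendmail[4001]: v8PA00cc004001: from=<root@host.example.com>, size=300, class=0, nrcpts=1, msgid=<4@host.example.com>, relay=root@localhost
Sep 25 10:00:01 host sendmail[4002]: v8PA00cc004001: to=<admin@host.example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30300, dsn=2.0.0, stat=Sent
"""

# The queue ID is the token after "sendmail[pid]: "; everything after it is key=value fields.
QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")
DAEMON_RE = re.compile(r"daemon=(?P<name>\w+)")
RELAY_RE = re.compile(r"relay=(?P<relay>[^,]+)")   # relay value may contain a space, never a comma
MAILER_RE = re.compile(r"mailer=(?P<name>\w+)")
STAT_RE = re.compile(r"stat=(?P<stat>.*)$")        # stat= is always the last field


@dataclass
class Message:
    qid: str
    sender: Optional[str] = None         # "" is the null sender from=<>, i.e. a bounce
    daemon: Optional[str] = None         # MTA = port 25 from another host, MSA = submission
    received_from: Optional[str] = None  # relay= on the from= line: who handed it to us
    deliveries: List[Tuple[str, str, str]] = field(default_factory=list)  # (rcpt, mailer, stat)


def parse_maillog(text: str) -> Dict[str, Message]:
    """Group sendmail lines by queue ID, like grepping one ID by hand but for all of them."""
    msgs: Dict[str, Message] = {}
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        msg = msgs.setdefault(m["qid"], Message(m["qid"]))
        rest = m["rest"]
        fm = FROM_RE.search(rest)
        if fm:  # receipt line: envelope sender, receiving daemon, upstream relay
            msg.sender = fm["addr"]
            d, r = DAEMON_RE.search(rest), RELAY_RE.search(rest)
            msg.daemon = d["name"] if d else None
            msg.received_from = r["relay"].strip() if r else None
            continue
        tm = TO_RE.search(rest)
        if tm:  # delivery attempt; Milter header lines match neither and are skipped
            ml, st = MAILER_RE.search(rest), STAT_RE.search(rest)
            msg.deliveries.append((tm["addr"], ml["name"] if ml else "", st["stat"] if st else ""))
    return msgs


def outbound_sent_by_sender(msgs: Dict[str, Message]) -> Counter:
    """Successful non-local deliveries per envelope sender ("<>" for null-sender bounces)."""
    counts: Counter = Counter()
    for msg in msgs.values():
        label = "<>" if msg.sender == "" else (msg.sender or "?")
        for _rcpt, mailer, stat in msg.deliveries:
            if mailer != "local" and stat.startswith("Sent"):
                counts[label] += 1
    return counts


def relayed_bounces(msgs: Dict[str, Message]) -> List[str]:
    """Queue IDs of null-sender mail that came in over SMTP from a remote host and went
    back out to a remote MTA: the server is passing on someone else's bounces."""
    flagged = []
    for qid, msg in sorted(msgs.items()):
        if msg.sender != "" or msg.daemon != "MTA":
            continue
        if msg.received_from and msg.received_from.startswith(("localhost", "[127.")):
            continue  # locally generated bounces are a different question
        if any(mailer == "esmtp" for _r, mailer, _s in msg.deliveries):
            flagged.append(qid)
    return flagged


if __name__ == "__main__":
    parsed = parse_maillog(SAMPLE_LOG)
    for sender, n in outbound_sent_by_sender(parsed).most_common():
        print(f"{n:6d}  {sender}")
    for qid in relayed_bounces(parsed):
        msg = parsed[qid]
        print(f"relayed bounce {qid}: {msg.received_from} -> {[r for r, _, _ in msg.deliveries]}")
```

Feed it the real file with `parse_maillog(open("/var/log/maillog").read())`. One caveat when reading the result: a local alias or .forward that redirects a mailbox to an external address produces exactly the same log shape as relay abuse (null-sender mail from outside, then an esmtp delivery to a third party), so check /etc/aliases and the users' forwarding settings for the flagged recipients before concluding the box is relaying for strangers.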


